NFTBridge
60,000 USDC
Submission Details
Severity: high
Valid

Denial of Service and Potential Loss of Funds in withdrawTokens and whiteList Functions Due to Unbounded Array Growth in _whiteListCollection

Summary

The _whiteListCollection function, used to manage a whitelist of token addresses, has a critical issue that can lead to Denial of Service (DoS) attacks and potential loss of tokens. The function operates on an unbounded _collections array, which continuously grows without any mechanism to reduce its size. This unbounded growth leads to excessive gas consumption, which can cause the function to revert, affecting both the withdrawTokens and whiteList functions. This situation can prevent tokens from being withdrawn on L1 after being deposited on L2, resulting in a permanent loss of funds.

Vulnerability Details

Function Overview:

  • The _whiteListCollection function adds a token address to the _collections array if it is not already present and updates the _whiteList mapping to enable or disable the token.

  • It checks if the token already exists in the _collections array by iterating through the array. If the token is not found, it adds the token to the array.

Unbounded Array Growth:

  • The _collections array grows each time a new token is added, without any mechanism to remove elements.

  • As the array grows, the loop within _whiteListCollection becomes more gas-intensive, eventually reaching a point where the gas cost exceeds the block gas limit, causing the function to revert.

Denial of Service (DoS):

  • whiteList Function: This function calls _whiteListCollection to add or remove tokens from the whitelist. Due to the unbounded array growth, calling whiteList can eventually become impossible, leading to a DoS for this function.

  • withdrawTokens Function: This function also calls _whiteListCollection when a new token is deployed on L1 after a deposit on L2. If _whiteListCollection reverts due to excessive gas usage, the withdrawTokens function will fail, preventing the user from withdrawing tokens.

Potential Loss of Tokens:

  • If _l2ToL1Addresses mapping returns address(0) (indicating the token is not already mapped), the withdrawTokens function will attempt to deploy a new token and call _whiteListCollection. If this call fails due to the reasons mentioned above, the user will be unable to withdraw the token on L1, effectively resulting in the loss of tokens that were deposited on L2.

Impact

Denial of Service: Both the whiteList and withdrawTokens functions can become non-functional as the _collections array grows, leading to a DoS attack vector.

Loss of Funds: Tokens that are not yet mapped in _l2ToL1Addresses cannot be withdrawn from L1 if the _whiteListCollection function reverts, leading to a potential loss of tokens deposited on L2.

Tools Used

Manual Code Review

Recommendations

Complete Removal of the _collections Array: The _collections array serves no practical purpose, since it is not used by any function other than _whiteListCollection. It only contributes to growing gas costs and potential DoS attacks, so it should be removed from the contract.
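
The scan-and-append pattern this finding describes, next to the mapping-only form the recommendation points to, as an added Solidity sketch. It is reconstructed from the prose above and is not the audited contract's code; the function suffixes, the event, and the seed/measure helpers are hypothetical names meant for a local test environment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration reconstructed from the finding's prose; NOT the audited
// contract. Function suffixes, the event, seed() and measure*() are hypothetical.
contract WhiteListSketch {
    mapping(address => bool) private _whiteList;
    address[] private _collections; // append-only: nothing ever shrinks it

    event CollectionWhiteListUpdated(address indexed collection, bool enabled);

    // Pattern described in the finding: scan the array, append if absent.
    // Each iteration is a storage read, so a miss costs O(_collections.length).
    function _whiteListCollectionScan(address collection, bool enable) internal {
        bool found = false;
        for (uint256 i = 0; i < _collections.length; i++) {
            if (_collections[i] == collection) { found = true; break; }
        }
        if (!found) _collections.push(collection);
        _whiteList[collection] = enable;
    }

    // Recommended shape: drop the array. One storage write, constant gas.
    // The event lets off-chain indexers rebuild the list if enumeration is needed.
    function _whiteListCollectionMapped(address collection, bool enable) internal {
        _whiteList[collection] = enable;
        emit CollectionWhiteListUpdated(collection, enable);
    }

    // Constructed filler entries so the growth is observable in a local test.
    function seed(uint256 n) external {
        for (uint256 i = 0; i < n; i++) {
            _collections.push(address(uint160(_collections.length + 1)));
        }
    }

    // Gas spent by each variant for a collection not yet in the array.
    function measureScan(address collection) external returns (uint256 used) {
        uint256 start = gasleft();
        _whiteListCollectionScan(collection, true);
        used = start - gasleft();
    }

    function measureMapped(address collection) external returns (uint256 used) {
        uint256 start = gasleft();
        _whiteListCollectionMapped(collection, true);
        used = start - gasleft();
    }
}
```

Comparing measureScan before and after a call to seed shows the scan cost rising with the array length, while measureMapped stays flat.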

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-collections-always-withelisted-on-both-chain-withdraw-impossible-collections-array-will-be-OOG

Likelihood: High, once the whitelist option is disabled, collections will grow. Impact: High, withdraw won’t be possible because of Out-Of-Gas.
